diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/roles/etcd/tasks/gen_certs_vault.yml
index 4e3325b4f..13f796f5e 100644
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -65,3 +65,9 @@
 with_items: "{{ etcd_node_certs_needed|d([]) }}"
 when: inventory_hostname in etcd_node_cert_hosts
 notify: set etcd_secret_changed
+
+- name: gen_certs_vault | ensure file permissions
+ shell: >-
+ find {{etcd_cert_dir }} -type d -exec chmod 0755 {} \; &&
+ find {{etcd_cert_dir }} -type f -exec chmod 0640 {} \;
+ changed_when: false
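Review bot: The second `find` sets every regular file under `etcd_cert_dir` to 0640, which would include any private keys kept there, and the first leaves every directory world-traversable at 0755; the hunk does not set or show owner and group, so whether group read on key material is intended cannot be confirmed from here. If keys share this tree with certificates, give them a tighter mode in a separate pass, e.g. `find "{{ etcd_cert_dir }}" -type f -name '<KEY_FILE_PATTERN>' -exec chmod 0600 {} \;` (placeholder pattern, use the role's real key naming). `{{etcd_cert_dir }}` is also unquoted inside a `shell` task, so a path containing whitespace is split, and with GNU find an empty value falls back to the current directory; quote the expansion. With `changed_when: false` the task always reports ok, so a permission correction on this directory never shows up in play output; consider a comment stating that this is deliberate, or reporting real changes instead.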